## Data protection policies

Data protection in Agen for SaaS enables you to mask sensitive information in tool responses before they reach AI agents. This supports compliance with regulations such as GDPR, HIPAA, CCPA, and PCI DSS by preventing sensitive data from being exposed through AI interactions.

![data-protection](/assets/data-protection.9a3ec9d8d70f18b8377d3f626e40aa45652ae1abdd0aff1e54c22f23d0377522.212f8da4.png)

### Data protection overview

The Data protection screen displays the following header:

> **Data protection policies** — Create policies to mask sensitive information like PII and PHI based on agent attributes and compliance needs

The screen includes a search bar and a **Create** button. Existing policies are displayed in a table with the following columns:

| Column | Description |
| --- | --- |
| **Status** | A toggle switch to activate or deactivate the policy. |
| **Policy name** | The name of the policy (e.g., "Mask PII"). |
| **Protection types** | Badges showing the compliance categories applied (e.g., `GDPR` +3). |
| **Tools** | The tools this policy applies to, shown as badges (e.g., `List_all_expenses`). |
| **Policy targeting** | The conditional expression that determines when the policy is applied (e.g., `country in_list US`). |

Each row has a three-dot menu for editing or deleting the policy.

### Creating a data protection policy

Click **Create** to open the policy creation dialog. The dialog contains the following fields:

#### Policy name

A descriptive name for the policy (e.g., "Mask PII", "HIPAA compliance").

#### Description (optional)

A brief description of what the policy protects. Maximum 180 characters. Placeholder: "Describe what this policy protects"

#### Data types to protect

A multi-select dropdown to choose which categories of sensitive data to mask.
Data types are organized by regulatory framework, with a **Select all** option for each category:

**PHI — Protected Health Information (39 types)**

Includes health-related identifiers such as:

- Au Medicare
- Canada Health Service Number
- Canada Personal Health Id Number Phin
- Canada Social Insurance Number
- Dutch Bank Account Number
- Email Address
- Germany Drivers License Number
- Germany Id Number
- Germany Passport Number
- And 30 more types

Additional categories include **PII**, **GDPR**, **PCI DSS**, **CCPA**, and **COPPA**, each containing relevant data type definitions.

#### Policy tools

Assign the policy to specific tools. Only tool responses from the selected tools are subject to masking. Placeholder: "Select policy tools"

#### Policy targeting

Define conditional expressions that determine **when** the masking policy is applied. Targeting uses the same expression builder as policies:

**IF** `[Attribute]` `[Operator]` `[Value]`

| Component | Description | Example |
| --- | --- | --- |
| **Attribute** | The request attribute to evaluate. | `Country` |
| **Operator** | The comparison operator. | `In` |
| **Value** | The value(s) to compare against. Multiple values can be selected. | `United States` |

Click **+ and** to add additional conditions. All conditions must be true for the policy to apply. Click the minus icon to remove a condition.

Click **Create** to save the policy, or **Cancel** to discard.

### How data protection works

When an AI agent invokes a tool that has an active data protection policy:

1. The tool call passes through authentication, access control, and policies as normal.
2. The request is forwarded to the tool's API endpoint.
3. The API response is intercepted by the data protection layer.
4. If the policy's targeting conditions match the request context, Agen for SaaS scans the response for the configured data types.
5. Any matching sensitive data is masked or redacted before the response is returned to the AI agent.
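The interception and masking flow in steps 3 to 5, modelled as an added Python example (not the product's own code): the policy model, the detector patterns, the `country` attribute name, the function names and the sample tool response are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed detector patterns for two data types named on this page (illustrative only).
DETECTORS = {
    "Email Address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "Canada Social Insurance Number": re.compile(r"\b\d{3}[- ]?\d{3}[- ]?\d{3}\b"),
}

def condition_holds(attribute, operator, value, context):
    """One targeting condition: IF [Attribute] [Operator] [Value]."""
    actual = context.get(attribute)
    if operator == "in_list":
        return actual in value
    raise ValueError(f"unsupported operator: {operator}")

@dataclass
class DataProtectionPolicy:
    name: str
    data_types: list        # names chosen under "Data types to protect"
    tools: list             # "Policy tools"; only their responses are masked
    conditions: list        # (attribute, operator, value) triples; all must hold
    active: bool = True     # the Status toggle

    def applies(self, tool, context):
        # No conditions means the policy applies to every request for its tools.
        return (self.active and tool in self.tools
                and all(condition_holds(a, o, v, context) for a, o, v in self.conditions))

def mask_response(policy, tool, context, response):
    """Steps 3-5: intercept the tool response; if the policy targets this request,
    replace every occurrence of each configured data type. Returns (text, counts)."""
    if not policy.applies(tool, context):
        return response, {}
    counts = {}
    for data_type in policy.data_types:
        response, n = DETECTORS[data_type].subn(f"[{data_type} masked]", response)
        if n:
            counts[data_type] = n
    return response, counts

# Constructed policy and a hypothetical expense record returned by the tool.
MASK_PII = DataProtectionPolicy(
    name="Mask PII",
    data_types=["Email Address", "Canada Social Insurance Number"],
    tools=["List_all_expenses"],
    conditions=[("country", "in_list", ["US"])],
)
SAMPLE = '{"submitted_by": "jane.doe@example.com", "sin": "123-456-789", "amount": 42.5}'
```

A request from a country outside the list, a call to a tool not assigned to the policy, or an inactive policy leaves the response unchanged; only a matching request has its configured data types replaced.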
Data protection is applied **after** the API returns its response and **before** the response reaches the AI agent, ensuring sensitive data never leaves your governance boundary.

### Activating and deactivating policies

Each data protection policy has a toggle in the **Status** column:

- **Active** (toggle on) — The policy is enforced on matching tool responses.
- **Inactive** (toggle off) — The policy is preserved but not enforced.

### Example: Mask PII for US-based requests

**Scenario:** Mask all PII and GDPR-regulated data types when the requesting user is in the United States.

1. Click **Create**.
2. Set **Policy name** to "Mask PII".
3. Select **GDPR** and related data type categories in **Data types to protect**.
4. Select `List_all_expenses` in **Policy tools**.
5. In **Policy targeting**, set: IF `Country` `In` `United States`.
6. Click **Create**.

Result: When a US-based user's AI agent calls the `List_all_expenses` tool, sensitive fields matching GDPR data types are automatically masked in the response.

### Related topics

- [Masking types](/agen-for-saas/data-protection/masking-types)
- [Policies](/agen-for-saas/policies/overview)
- [Access control](/agen-for-saas/access-control/overview)
- [Tools → About tools](/agen-for-saas/tools/about-tools)